RESPONSE TO FINAL OFFICE ACTION DATED 1/27/2005

REMARKS 

Herein, the "Action" or "Office Action" refers to the Office Action 
identified in the above-identified title. 

Applicant respectfully requests reconsideration and allowance of all 
of the claims of the application. Claims 1-15, 18-26, and 28-35 are 
presently pending. Claims amended herein are 1, 8, 18, 23, 24, 28, and 29. 
Claims withdrawn or cancelled herein are 27. New claims added herein are 
none. 

Amendment to Specification 

Applicant rescinds its request for specification amendment found in 
the immediately previous response ("Response to Office Action dated 
7/1/2004"). Accordingly, Applicant amends the specification herein in a 
manner to restore the specification to its original condition before the 
previous specification amendment request. 

Request to Withdraw Finality 

Applicant respectfully requests that the Office withdraw the finality 
of this Office Action. Applicant asserts that the Office has not fully 
examined each and every claim. Rather, it appears that the Office has 
lumped together several claims under the same rejection without examining 
each independent of the other. 

For example, in the previous Office Action, the Office rejected 
independent claims 8, 13, 23, and 24 for the same reasoning as it rejected 
claim 1. For example, in its rejection of claim 13, the Office indicates on p. 
4 of the previous Action, "As to independent claim 13, the claim 
incorporates substantially similar subject matter as claim 1 as is rejected 
along the same rationale." 

In its previous Response (p. 22), Applicant stated the following with 
regard to such blanket anticipation rejections of at least nominally different 
claims: 

While the Office's assertion (that this claim incorporates 
substantially similar subject matter as claim 1) may or may not be 
true, Applicant asserts that this independent claim is patentably 
different than claim 1; and therefore, it deserves to be examined 
on its own. 

In other words, Applicant is saying that the Office has the burden to 
show that the cited reference discloses each and every element and feature 
recited in each rejected claim and show that each element/feature operated 
together in the manner recited by each rejected claim. Applicant is saying 
that the Office has not done that. 

In this Action (p. 4), the Office's rejoinder to the Applicant is as 
follows: 

In response to applicants' arguments beginning on page 21, with respect to 
independent claims 8 and 13, While the Office's assertion (that this claim incorporates 
substantially similar subject matter as claim 1) may or may not be true, Applicant 
asserts that this independent claim is patentable different that claim 1; and therefore, it 
deserves to be examined on its own". The Office does not agree these claims are 
substantially similar, if the applicant argument is that they are patentable different 
please indicate how the claims are different 

It appears that the Office is saying that the Applicant has the burden 
to show that the collectively rejected claims are patentably different from 
each other. Applicant disagrees. Applicant asserts that the burden remains 
with the Office. Applicant respectfully submits that the Office's refusal to 
fulfill its burden is sufficient reason for the removal of finality and if 
finality is not removed, then burden-unfulfillment is sufficient to prevail 
upon appeal. 

However, Applicant will discuss why these collectively rejected 
claims are patentably different. Doing so will help convince the Office to 
withdraw the finality of this Action and if not, then will bolster the 
Applicant's case on appeal. 

Below, Applicant reproduces the text of some of the collectively 
rejected claims in their form before any amendments herein. The 
differences between the claim itself and claim 1 are highlighted and have 
comment balloons. 

Please note that the highlighted differences are merely examples of 
differences. They are not intended to exhaust all possible differences 
between these claims. 

Before amendments herein, claim 1 recited: 

A method for accommodating a legacy application, the 
method comprising: 

obtaining a request for a high-level credential from a legacy 
application; 

marshalling the requested credential; 

returning the marshaled credential to the application. 

Applicant asserts that claim 8 recites at least three elements/features 
that are not recited in claim 1. Before amendments herein, claim 8 recited: 

[in a computing environment where processes have a provision 
for low-level credentials but have no provision for high-level 
credentials], comprising: 

obtaining a request for a credential from a process, wherein 
the requested credential is a high-level credential; 

[retrieving the requested credential from a database]; 

[converting the requested high-level credential into a format 
approximating a low-level credential and representative of the 
requested high-level credential]; 

returning the converted credential to the process. 

Comment [kcc1]: Claim 1 does not recite this. 

Comment [kcc2]: Claim 1 does not recite a "retrieving" action. 

Comment [kcc3]: On p. 4 of the Action, the Office states that the term "marshalling" (as used in claim 1) has the same meaning as "passing or transferring." If so, then the "converting" is not the same as "passing or transferring." 

Applicant asserts that claim 13 recites at least three 
elements/features that are not recited in claim 1. Before amendments 
herein, claim 13 recited: 

A method for authenticating a user to a network, the method 
comprising: 

obtaining a [request for a credential to authenticate the user to 
access a resource within the network], wherein the resource 
requires an appropriate credential before the user may access the 
resource; 

[locating the appropriate credential]; 

[returning the appropriate credential to the resource within the 
network, so that the resource allows the user to access such 
resource]; 

[wherein the obtaining, locating, and returning are performed 
without user interaction so that the user need not be aware that 
such steps are being performed]. 



Comment [kcc4]: Claim 1 does not specifically call out this feature/element. 

Comment [kcc5]: No recitation in claim 1 of a "locating" action. 

Comment [kcc6]: Again, not recited in claim 1. 

Comment [kcc7]: Claim 1 never mentions "user interaction" 

In addition to the above-identified examples of features/elements 
recited in claims 8 and 13 that are not recited in claim 1, Applicant also 
asserts that the Office has indirectly indicated that these claims have 
patentable differences. 

If these collectively rejected claims (having the same statutory class) 
truly possess no patentable difference amongst them, then they would be 
identical. The Office cannot grant the Applicant multiple identical claims 
in the same statutory class. 

It appears that the Office is examining (albeit in a cursory manner) 
claims 1, 8, and 13, all of which are the same statutory class. However, the 
Office has not indicated that these same-statutorily-classified claims are 
identical to each other. Instead, the Office's examination of these claims 
implies that the Office views these claims as being patentably different 
from each other. 

Further proof that the Office considers these claims to be different is 
the fact that the Office indicated in its Actions that these collectively 
rejected claims were "substantially similar" rather than identical or nearly 
identical. So, by its own admission, the Office does not view these claims 
as identical. 

Accordingly, in showing actual differences between the claims and 
in showing the Office's indirect indication of claim differences, Applicant 
has met the burden set by the Office (which burden the Applicant maintains 
that it does not have) to show patentable difference between these 
collectively rejected claims. 

Applicant respectfully requests that the Office remove finality and 
give Applicant a full opportunity to respond to the rejections of each 
claim. 

Substantive Claim Rejections 



Claim Rejections under §§ 102 & 103 

The Office rejects all of the pending claims under §102 and/or §103. 
For the reasons set forth below, the Office has not shown that cited 
references anticipate (under §102) the rejected claims. For the reasons set 
forth below, the Office has not made a prima facie case showing 
that the rejected claims are obvious (under §103). Accordingly, Applicant 
respectfully requests that the rejections be withdrawn and the case be 
passed along to issuance. 

The Office's rejections are based upon the following references: 

• Olden: Olden, US Patent No. 6,460,141 (issued 10/1/2002); 
and/or 

• McNabb: McNabb et al., US Patent No. 6,289,462 (issued 
9/11/2001). 

Overview of the Application 

The Application describes a domain-authentication aware 
technology for managing credentials. In other words, an authentication by 
one resource in a trust network enables automatic (without manual user 
input) authenticated access to all resources in that trust network. 

With an implementation of this technology, concurrent 
authentications with multiple independent networks (e.g., domains) may be 
established and maintained. 

With an implementation of this technology, a credential manager 
provides a credential model retrofit for legacy applications that only 
understand the password model. The manager marshals high-level 
credentials (such as a certificate) so that the high-level credential appears to 
be a low-level credential (such as a user/password) to legacy applications. 

With an implementation of this technology, a credential manager 
provides a mechanism where the application is only a "blind courier" of 
credentials between the trusted part of the OS and the network and/or 
network resource. The manager fully insulates the application from "read" 
access to the credentials. 

Cited References 

The Office cites Olden as its primary reference in its anticipation- 
and obviousness-based rejections. The Office cites McNabb as its 
secondary reference in its obviousness-based rejection. 

Olden 

Olden describes a security and access management technology for 
Web-enabled and non-Web-enabled applications and content on a computer 
network. Olden describes a management model which brings together 
disparate infrastructure components, consolidates multiple security policies, 
and embraces both Web and emerging Internet technologies to properly 
address the security requirements of the Web. 

Olden describes a uniform access management model to address the 
specific problems facing the deployment of security for the Web and 
non-Web environment. Unified access management consists of strategic 
approaches to unify all key aspects of Web and non-Web security policies, 
including access control, authorization, authentication, auditing, data 
privacy, administration, and business rules. Unified access management 
also addresses technical scalability requirements needed to successfully 
deploy a reliable unified Web and non-Web security system. 

Olden describes the technology required to support these key factors 
as they relate to Web and non-Web security. The described system operates 
in combination with network and system security tools such as firewalls, 
network intrusion detection tools, and systems management tools to provide 
comprehensive security for the Web-enabled enterprise. 

McNabb 

McNabb describes a technology for providing a trusted server which 
controls access to the execution of processes by applying file level 
extended sensitivity label attributes. The attributes are utilized to restrict 
execution of processes that are requested by comparing the extended 
attributes in addition to using standard file permission authorization. 

Based upon Olden 

The Office rejects claims 1-2, 4-8, 10-24, and 26-35 under USC § 
102(e) as being anticipated by Olden. Applicant respectfully traverses the 
rejections of these claims. Based on the reasons given below, Applicant 
asks the Office to withdraw its rejection of these claims. 



Claim 1 



As amended, this claim recites: 

A method for accommodating a legacy application, the legacy 
application having provisions for a low-level credential 
authorization model which employs username-and-password 
based authorization, the method comprising: 

obtaining a request for a high-level credential from a legacy 
application, wherein a high-level credential authorization model 
does not employ username-and-password based authorization: 

marshalling the requested high-level credential, the 
marshalling is characterized by converting a description of the 
high-level credential into a format recognizable as a low-level 
credential by the legacy application employing a low-level 
credential authorization model: 

returning the marshaled credential to the legacy application. 



The underscored text indicates the primary amendments to this claim 
which are done to clarify the meaning of "high-level credential" and 
"marshalling" and introduce "low-level credential." 

In its rejection, the Office indicates the following: 

As to independent claim 1, "A method for accommodating a legacy 
application, the method comprising: obtaining a request for a high-level 
credential from a legacy application; marshalling the requested credential; 
returning the marshaled credential to the application" is taught in '141 col. 25, 
lines 29-39. 

Applicant submits that the Office has not identified, with 
particularity, where each feature and element of this claim is found in the 
cited passage of the reference. Specifically, the Office has not shown 
where Olden discloses "high-level credentials" and "marshalling" as 
recited in this claim. 

High-Level Credential 

The cited portion (col. 25, lines 29-39) of Olden reads: 

For example, consider that user Steve may have one 
username/password for Web applications and a different username and 
password for a legacy application. Single sign on from the Web to the 
legacy application can be accommodated by storing the user's legacy 
credentials as user properties for Steve such as legacy_username and 
legacy_password in the entitlements database 32. The legacy Web 
application would then query the API and request the legacy_username 
and legacy_password for ct_username=steve. The results can then be 
transferred to the legacy application to be used in the logon procedure. 
Since this is performed programmatically, the user is not aware of the 
second logon process. To the user, it seems as if he or she only logged 
onto the Web site once. 

A non-password authorization model (e.g., X.509 certificates) 
utilizes high-level credentials. However, most legacy applications have 
provisions for only the traditional username/password authorization model, 
which is an example of a low-level credential. 

This distinction between high- and low-level credentials is discussed 
throughout the Application. For example, this distinction is noted in the 
following section quoted from the 3rd paragraph of the "Summary" on p. 5 of the 
Application: 

With an implementation of this technology, a 
credential manager provides a credential model retrofit for 
legacy applications that only understand the password 
model. The manager marshals high-level credentials (such 
as a certificate) so that the high-level credential appears to 
be a low-level credential (such as a user/password) to 
legacy applications. 

This claim recites (with emphasis added): "obtaining a request for a 
high-level credential from a legacy application." 

Applicant submits that Olden does not do this. Instead, with Olden, 
authorization to access a first set of functionality based upon a traditional 
low-level credential (username/password pair) allows for automatic 
authorized access to a second set of functionality. This automatic 
secondary access is predicated upon the first authorization and is 
accomplished by retrieval of a databased low-level credential for this 
authorized access to a second set of functionality. 

While Olden handles multiple credentials and allows for automatic 
access to additional functionality based upon authorization via only one set 
of credentials, Olden ONLY handles low-level credentials. It only handles 
the traditional username/password pair model. Applicant submits that 
Olden never discloses utilizing high-level credentials. Applicant submits 
that Olden never discloses utilizing certificates. 

In its "Response to Arguments" on p. 3 of the Action, the Office 
responded to Applicant's argument with the following: 

In response to applicant's argument beginning on page 17, line 22 "the Applicant 
submits that the Office has not identified with particularity, where each feature and 
element of this claim is found in the cited passage of the reference ... each feature and 
element of this claim," such as "High-Level Credential". The Office disagrees with 
argument although the term "High-Level Credential" is used this can have the same 
meaning as "password" or user name. Likewise, as the reference indicates smart rules 
can be used to set further limits on the distribution of credentials. 
Also in response to applicant's argument that the references fail to show certain 
features of applicant's invention, it is noted that the features upon which applicant relies 
(i.e. X.509) are not recited in the rejected claim(s), until claim 3, which is not 
incorporated in the independent claim or the other dependent claims. Although the 
claims are interpreted in light of the specification, limitations from the specification are 
not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. 
Cir. 1993). Likewise claim 3, X.509 certificates was rejected under 35 U.S.C. 103 with 
the combination of references cited in the Office Action. 

In response, Applicant amends to clarify terms recited in this claim. 
As amended, this claim includes text clarifying the meaning of "high-level" 
and "low-level" credentials. In particular, the additions clarify that 
"high-level" credentials do not include the traditional username/password pair 
authorization model, which is what Olden discloses. This amendment 
clarifies the difference between this claim and what Olden discloses. 

Therefore, Applicant submits that Olden does not disclose "a 
request for a high-level credential," as recited in this claim. 




Marshalling 

Furthermore, Olden does not disclose "marshaling" as recited in this 
claim. Specifically, this claim recites (with emphasis added): "marshalling 
the requested [high-level] credential; returning the marshaled credential to 
the application." 

Pages 12-15 of the Application describe the concepts of 
"marshalling" and "marshaled credentials" in some detail. In the first 
paragraph on p. 12, this definition is provided: "Marshaling is the 
mechanism by which a description of a non-password credential can be 
passed to the TCB [Trusted Computing Base] using an interface designed 
to support only password credentials." 

In its "Response to Arguments" on p. 4 of the Action, the Office 
responded to Applicant's argument with the following: 

In response to applicant's argument beginning on page 20, the Office has not 
identified with particularity, where each feature and element of this claim is found in the 
cited reference" such as "Marshalling", The Office disagrees the term "marshaling" has 
the same meaning as passing or transferring. The Office Action shown this in the cited 
passage where the results are "transferred to the legacy application". 

In response, Applicant amends to clarify terms recited in this claim. 
As amended, this claim includes text clarifying the meaning of 
"marshalling." In particular, the additions clarify that "marshalling" means 
more than simply "passing" or "transferring," which the Office indicates 
that Olden discloses. This amendment clarifies the difference between 
this claim and what Olden discloses. 

Therefore, Applicant submits that Olden does not disclose the 
concepts of "marshalling" and "marshaled credentials," as recited in this 
claim. 

As shown above, Olden does not disclose all of the claimed 
elements and features of the claim. Accordingly, Applicant asks the Office 
to withdraw its rejection of this claim. 

Claims 2-7 

These claims ultimately depend upon independent claim 1. As 
discussed above, claim 1 is allowable. 

In addition to its own merits, each of these dependent claims is 
allowable for the same reasons that its base claim is allowable. Applicant 
submits that the Office withdraw the rejection of each of these dependent 
claims because its base claim is allowable. 

Claim 8 

The Office indicates that this claim incorporates substantially similar 
subject matter as claim 1 and is rejected along the same rationale. 

If this is true, the Applicant submits that this claim is allowable for 
the same reasons given above as to why claim 1 is allowable. 

While the Office's assertion (that this claim incorporates 
substantially similar subject matter as claim 1) may or may not be true, 
Applicant asserts that this independent claim is patentably different than 
claim 1; and therefore, it deserves to be examined on its own. 

As shown above, Olden does not disclose all of the claimed 
elements and features of the claim. Accordingly, Applicant asks the Office 
to withdraw its rejection of this claim. 

Claims 9-12 

These claims ultimately depend upon independent claim 8. As 
discussed above, claim 8 is allowable. 

In addition to its own merits, each of these dependent claims is 
allowable for the same reasons that its base claim is allowable. Applicant 
submits that the Office withdraw the rejection of each of these dependent 
claims because its base claim is allowable. 

Claim 13 

The Office indicates that this claim incorporates substantially similar 
subject matter as claim 1 and is rejected along the same rationale. 

If this is true, the Applicant submits that this claim is allowable for 
the same reasons given above as to why claim 1 is allowable. 

While the Office's assertion (that this claim incorporates 
substantially similar subject matter as claim 1) may or may not be true, 
Applicant asserts that this independent claim is patentably different than 
claim 1; and therefore, it deserves to be examined on its own. 

As shown above, Olden does not disclose all of the claimed 
elements and features of the claim. Accordingly, Applicant asks the Office 
to withdraw its rejection of this claim. 

Claims 14-15 

These claims ultimately depend upon independent claim 13. As 
discussed above, claim 13 is allowable. 

In addition to its own merits, each of these dependent claims is 
allowable for the same reasons that its base claim is allowable. Applicant 
submits that the Office withdraw the rejection of each of these dependent 
claims because its base claim is allowable. 

Claim 18 



As amended, this claim recites (in part): 

the TCB comprises: 

a credential management module configured to receive 
requests from the UTCL for a high-level credential for a resource, 
the high-level credential being associated with a user and not 
being username-and-password based authorization: 

The underscored text indicates the primary amendments to this claim 
which are done to clarify the meaning of "high-level credential." 

In its rejection, the Office indicates the following: 

As to Independent claim 18, "A credential management architecture, 
comprising: a trusted computing base (TCB) that has 111 access to persisted 
credentials, the TCB being configured to interact with an untrusted computing 
layer (UTCL) that accesses the persisted credentials via the TCB; the TCB 
comprises: a credential management module configured to receive requests from 
the UTCL for a high level credential for a resource" is taught in '141 col. 3, lines 39-61; 

"the high level credential being associated with a user; a credential 
database associated with the user, wherein credentials are persisted within the 
database; the credential management module being configured to retrieve 
credentials from the database" is shown in '141 col. 4, lines 27-34, 

Applicant submits that the Office has not identified, with 
particularity, where each feature and element of this claim is found in the 
cited passage of the reference. Specifically, the Office has not shown 
where Olden discloses "high-level credentials" as recited in this claim. 

The cited portions of Olden read: 

The security and access management system of the present 
invention, generally indicated by the numeral 10 in FIG. 1, is a 
highly scalable, reliable, and configurable security architecture. As 
shown in FIG. 1, the architecture for the security and access 
management system 10 comprises five main components: at least 
one authorization component 12; an entitlements (database) server 
component 14; an API server 16; an administrative client 
(graphical user interface) 18; and at least one enabled Web server 
20 connected to the remainder of the computer network, for 
example, over the Internet. The first three components are server- 
side components. Each of the server-side components will now be 
described in more detail. 



The authorization component 12 performs authorization 
processing on behalf of either an enabled Web server 20 or an API 
client 22. The authorization component 12 comprises an 
authorization server 24. Preferably, as shown in FIG. 1, the 
authorization component 12 comprises a plurality of authorization 
servers 24A, 24B, 24C and at least one authorization dispatcher 26. 
In order to avoid a single point source of failure, a plurality of 
authorization dispatchers 26A, 26B also preferably comprises the 
authorization component 12. [col. 3, lines 39-61] 



The entitlements server component 14 performs database 
processing on behalf of at least one entitlements manager 
administrative client 18 and the API server 16. In addition, the 
entitlements server component 14 also forwards requests from the 
entitlements manager administrative client 18 and API server 16 
to the authorization servers 24A, 24B, 24C comprising the 
authorization component 12. [col. 4, lines 27-34] 

A non-password authorization model (e.g., X.509 certificates) 
utilizes high-level credentials. However, most legacy applications have 
provisions for only the traditional username/password authorization model, 
which is an example of a low-level credential. 

This distinction between high- and low-level credentials is discussed 
throughout the Application. For example, this distinction is noted in the 
following section quoted from the 3rd paragraph of the "Summary" on p. 5 of the 
Application: 

With an implementation of this technology, a 
credential manager provides a credential model retrofit for 
legacy applications that only understand the password 
model. The manager marshals high-level credentials (such 
as a certificate) so that the high-level credential appears to 
be a low-level credential (such as a user/password) to 
legacy applications. 

This claim recites (with emphasis added): "a credential management 
module configured to receive requests from the UTCL for a high-level 
credential for a resource." 

Applicant submits that Olden does not do this. Instead, with Olden, 
authorization to access a first set of functionality based upon a traditional 
low-level credential (username/password pair) allows for automatic 
authorized access to a second set of functionality. This automatic 
secondary access is predicated upon the first authorization and is 
accomplished by retrieval of a databased low-level credential for this 
authorized access to a second set of functionality. 

While Olden handles multiple credentials and allows for automatic 
access to additional functionality based upon authorization via only one set 
of credentials, Olden ONLY handles low-level credentials. It only handles 
the traditional username/password pair model. Applicant submits that 
Olden never discloses utilizing high-level credentials. Applicant submits 
that Olden never discloses utilizing certificates. 

Therefore, Applicant submits that Olden does not disclose "a 
request for a high-level credential," as recited in this claim. 

In its "Response to Arguments" on pp. 4-5 of the Action, the Office 
responded to Applicant's argument with the following: 

In response to applicant's argument beginning on page 23, with respect to claim 
18 This distinction between high- and low-level credentials is discussed through-out the 
Application ... Applicant submits the Olden does not do this. Instead, with Olden 
authorization to access a first set of functionality based upon low-level credential 
(username/password pair) ... Olden ONLY handles low-level credentials". The Office 
disagrees with argument as stated previously. A. The term high- or low-level 
credentials can have the same meaning as a current password verse and old password, 
or a user passing successful authentication. In addition as stated previously while the 
claims are interpreted in light of the specification, limitations from the specification are 
not placed into the claims. If the applicant wants to distinguish high-level credentials as 
X.509 this should be included in the independent claim, 

In response, Applicant amends to clarify terms recited in this claim. 
As amended, this claim includes text clarifying the meaning of "high-level 
credential." In particular, the additions clarify that "high-level" credentials 
do not include the traditional username/password pair authorization 
model, which is what Olden discloses. This amendment clarifies the 
difference between this claim and what Olden discloses. 

Therefore, Applicant submits that Olden does not disclose "a 
credential management module configured to receive requests from the 
UTCL for a high-level credential for a resource," as recited in this claim. 

As shown above, Olden does not disclose all of the claimed 
elements and features of the claim. Accordingly, Applicant asks the Office 
to withdraw its rejection of this claim. 

Claims 19-22 

These claims ultimately depend upon independent claim 18. As 
discussed above, claim 18 is allowable. 

In addition to its own merits, each of these dependent claims is 
allowable for the same reasons that its base claim is allowable. Applicant 
submits that the Office withdraw the rejection of each of these dependent 
claims because its base claim is allowable. 

Claim 23 

The Office indicates that this claim incorporates substantially similar 
subject matter as claim 1 and is rejected along the same rationale. 

If this is true, the Applicant submits that this claim is allowable for 
the same reasons given above as to why claim 1 is allowable. 

While the Office's assertion (that this claim incorporates 
substantially similar subject matter as claim 1) may or may not be true, 
Applicant asserts that this independent claim is patentably different than 
claim 1; and therefore, it deserves to be examined on its own. 

As shown above, Olden does not disclose all of the claimed 
elements and features of the claim. Accordingly, Applicant asks the Office 
to withdraw its rejection of this claim. 



Claim 24 

The Office indicates that this claim incorporates substantially similar 
subject matter as claim 8 and is rejected along the same rationale. 

If this is true, the Applicant submits that this claim is allowable for 
the same reasons given above as to why claim 1 is allowable. 

While the Office's assertion (that this claim incorporates 
substantially similar subject matter as claim 8) may or may not be true, 
Applicant asserts that this independent claim is patentably different than 
claim 1; and therefore, it deserves to be examined on its own. 

As shown above, Olden does not disclose all of the claimed 
elements and features of the claim. Accordingly, Applicant asks the Office 
to withdraw its rejection of this claim. 



Claims 25, 26, and 28 

These claims ultimately depend upon independent claim 24. As 
discussed above, claim 24 is allowable. 

In addition to its own merits, each of these dependent claims is 
allowable for the same reasons that its base claim is allowable. Applicant 
submits that the Office withdraw the rejection of each of these dependent 
claims because its base claim is allowable. 



Claim 29 

As amended, this claim recites (in part): 

a request obtainer configured to obtain a request for a high- 
level credential to authenticate the user to access a resource 
within the network, wherein the resource requires an appropriate 
credential before the user may access the resource, wherein a 
high-level credential do not utilize username-and-password based 
for high-level credential authorization; 

a credential retriever configured to retrieve the appropriate 
high-level credential from a database of credentials; 

a credential marshaller configured to generate a 
representation of the high-level credential that is formatted as a 
low-level credential so that it appears to be a conventional 
username/password pair, wherein a low-level credential utilizes 
username-and-password based authorization; 

a credential returner configured to return the marshaled 
credential to the resource within the network, so that the resource 
allows the user to access such resource; 

wherein the obtainer, retriever, marshaller, and returner are 
further configured to operate without user interaction. 

The underscored text indicates the primary amendments to this claim 
which are done to clarify the meaning of "high-level credential" and "low- 
level credential." 

As to independent claim 29, "A system for authenticating a user to a 
network, the system comprising: a request obtainer configured to obtain a 
request for a high level credential to authenticate the user to access a resource 
within the network" is taught in '141 col. 3, lines 39-61; 

"wherein the resource requires an appropriate credential before the user 
may access the resource; a credential retriever configured to retrieve the 
appropriate high-level credential from a database of credentials; a credential 
marshaller configured to generate a representation of the high-level credential 
that is formatted as a low-level credential so that it appears to be a conventional 
username/password pair; a credential returner configured to return the marshaled 
credential to the resource within the network, so that the resource allows the user 
to access such resource" is shown in '141 col. 4, lines 27-34; 

"wherein the obtainer, retriever, marshaller and returner are further 
configured to operate without user interaction" is disclosed in '141 col. 25, lines 39- 
41. 

Applicant submits that the Office has not identified, with 
particularity, where each feature and element of this claim is found in the 
cited passage of the reference. Specifically, the Office has not shown 
where Olden discloses "high-level credentials" as recited in this claim. 

A non-password authorization model (e.g., X.509 certificates) 
utilizes high-level credentials. However, most legacy applications have 
provisions for only the traditional username/password authorization model 
which is an example of a low-level credential. 

This distinction between high- and low-level credentials is discussed 
throughout the Application. For example, this distinction is noted in the 
following section quoted from the 3rd paragraph of the "Summary" on p. 5 of the 
Application: 



With an implementation of this technology, a 
credential manager provides a credential model retrofit for 
legacy applications that only understand the password 
model. The manager marshals high-level credentials (such 
as a certificate) so that the high-level credential appears to 
be a low-level credential (such as a user/password) to 
legacy applications. 

This claim recites (with emphasis added): "a request obtainer 
configured to obtain a request for a high-level credential to authenticate 
the user to access a resource within the network, wherein the resource 
requires an appropriate credential before the user may access the resource, 
wherein a high-level credential do not utilize username-and-password 
based for high-level credential authorization." 

Applicant submits that Olden does not do this. Instead, with Olden, 
authorization to access a first set of functionality based upon a traditional 
low-level credential (username/password pair) allows for automatic 
authorized access to a second set of functionality. This automatic 
secondary access is predicated upon the first authorization and is 
accomplished by retrieval of a databased low-level credential for this 
authorized access to a second set of functionality. 

While Olden handles multiple credentials and allows for automatic 
access to additional functionality based upon authorization via only one set 
of credentials, Olden ONLY handles low-level credentials. It only handles 
the traditional username/password pair model. Applicant submits that 
Olden never discloses utilizing high-level credentials. Applicant submits 
that Olden never discloses utilizing certificates. 

In its "Response to Arguments" on pp. 5-6 of the Action, the Office 
responded to Applicant's argument with the following: 

In response to applicant's argument beginning on page 29, with respect to claim 
29, the applicant proposes the same arguments that were previously presented 
concerning "High-Level Credential" and "Marshalling". The Office disagrees with these 
arguments as previously indicated. The Office disagrees with argument although the 
term "High-Level Credential" is used this can have the same meaning as "password" or 
user name. Likewise, as the reference indicates smart rules can be used to set further 
limits on the distribution of credentials. It is noted that the features upon which applicant 
relies (i.e., X.509) are not recited in the rejected claim(s), until claim 3, which is not 
incorporated in the independent claim or the other dependent claims. The Office 
disagrees the term "marshaling" has the same meaning as passing or transferring. 

In response, Applicant amends to clarify terms recited in this claim. 
As amended, this claim includes text clarifying the meaning of "high-level" 
and "low-level" credentials. In particular, the additions clarify that "high- 
level" credentials do not include the traditional username/password pair 
authorization model, which is what Olden discloses. Thus, this amendment 
clarifies the difference between this claim and what Olden discloses. 

Therefore, Applicant submits that Olden does not disclose "a 
request obtainer configured to obtain a request for a high-level credential 
to authenticate the user to access a resource within the network, wherein 
the resource requires an appropriate credential before the user may access 
the resource, wherein a high-level credential do not utilize username-and- 
password based for high-level credential authorization" as recited in this 
claim. 

As shown above, Olden does not disclose all of the claimed 
elements and features of the claim. Accordingly, Applicant asks the Office 
to withdraw its rejection of this claim. 

Claims 30-31 

These claims ultimately depend upon independent claim 29. As 
discussed above, claim 29 is allowable. 

In addition to its own merits, each of these dependent claims is 
allowable for the same reasons that its base claim is allowable. Applicant 
submits that the Office withdraw the rejection of each of these dependent 
claims because its base claim is allowable. 

Claim 32 

This unamended claim for an application programming interface 
(API) method recites: 

• receiving a CredUI-promptfor-credentials call having a set of 
parameters comprising a TargetName, Context, AuthFlags, 
and Flags; 

• parsing the call to retrieve the parameters to determine a 
specified resource; 

• obtaining a credential; 

• associating the credential with the specified resource; 

• persisting the credential into a database while maintaining 
the credential's association with the specified resource. 

The Office cites col. 3, lines 39-61 and col. 9, line 27 through col. 
10, line 36 of Olden and, by doing so, indicates that the cited portion of the 
reference discloses all of the elements and features of this claim. 

However, the Applicant submits that the Office has not identified, 
with particularity, where each feature and element of this claim is found in 
the cited passage of the reference. Furthermore, the Office has not 
provided any reasoning, explanation, or rationale as to its assertion that the 
cited portions of Olden disclose all of each feature and element of this 
claim. 

In particular, the Office has not identified, nor can Applicant find, 
where Olden discloses "receiving a CredUI-promptfor-credentials call 
having a set of parameters comprising a TargetName, Context, AuthFlags, 
and Flags." Nowhere does Olden disclose a call with this particular set 
of parameters. 

In its "Response to Arguments" on pp. 6-7 of the Action, the Office 
responded to Applicant's argument with the following: 

In response to applicant's arguments beginning on page 33, with respect to claim 
32, In particular, the Office has not identified, nor can Applicant find, where Olden 
discloses "receiving a CredUI-promptfor-credentials call having a set of parameters 
comprising a TargetName, Context, AuthFlags and Flags". The Office disagrees the 
reference shows many examples of these steps, for example, see col. 9, lines 27-51 
"During a request" same meaning as "CredUI-promptfor-credentials" 

"different application functions 84 to which the customer has access rights, and 
returns the correct interface which support the function set" has the same meaning as 
"set of parameters" 

as well as see col. 17, line 65 through col. 18, line 59 "Smart rules are filters that 
govern user access to applications. When a smart rule is defined for an application in 
order to determine authorization, the security and access management system 10 
examines a property for a specific user, and grants or denies access to an application 
resource based on the value found" has the same meaning as "TargetName, Context, 
AuthFlags, and Flags" 



In response, Applicant points to the specificity of the claim 
recitation. In particular, this claim indicates that the received call has a 
defined set of parameters that comprise the following specifically recited 
parameters: "TargetName, Context, AuthFlags, and Flags." 

It appears to the Applicant that the Office is combining two 
extrapolated and generalized conclusions about Olden and equating it to a 
very specific and explicit recitation in the claim language. If the Office is 
correct then these two statements are equivalent: 

The following is a direct quote from this claim: 

...receiving a CredUI-promptfor-credentials call having a set 
of parameters comprising a TargetName, Context, AuthFlags, and 
Flags... 

The following is the same quoted language but Applicant has 
replaced the language that the Office equates to being disclosed in Olden 
(minor edits are done to make the replaced language make better 
grammatical sense): 

... receiving a request [a CredUI-promptfor-credentials call] 
having a correct interface to support the function set to which the 
customer has access rights, [a set of parameters] comprising 
filters governed by smart rules (when a smart rule is defined for an 
application in order to determine authorization, the security and 
access management system examines the property of a specific 
user and grants or denies access to an application resource based 
on the value found) [a TargetName, Context, AuthFlags, and 
Flags]... 

Again, if Olden truly discloses the language recited in this claim, 
then the above two statements would be identical in meaning. Not only 
would they be identical, they would be neither broader nor narrower than 
each other in meaning. 

Applicant hopes that the reader of this can see that these two 
statements are not identical. Even assuming the best case for the Office, 
Olden, at best, discloses a generalization of the recited language. But, of 
course, Applicant does not think that Olden even discloses that. 

Applicant asks the Office to identify, with particularity, where 
Olden discloses each of these parameters which have been expressly 
recited in this claim. Where does Olden expressly disclose a 
"TargetName" parameter? Where does Olden expressly disclose a 
"Context" parameter? Where does Olden expressly disclose an "AuthFlags" 
parameter? Where does Olden expressly disclose a "Flags" parameter? 

Furthermore, Applicant submits that Olden does not disclose all 
of the steps of this method (parsing a call; obtaining a credential; 
associating; and persisting) generally or specifically. For example, Olden 
does not disclose "associating the [obtained] credential with the specified 
resource." 

If Olden does disclose these things, Applicant asks that the Office 
identify where it discloses it with particularity. 

In its "Response to Arguments" on p. 7 of the Action, the Office 
responded to Applicant's argument with the following: 

In response to applicant's argument on page 34, with respect to claim 32, 
"Furthermore, Applicant submits that Olden does not disclose the all of the steps of this 
method (parsing a call; obtaining a credential; associating; and persisting) generally or 
specifically". The Office disagrees this is shown throughout the reference see col. 17, 
line 65 through 18, line 59 above. Note database processing performs the tasks 
Applicant is claiming, i.e. parsing, obtaining, associating, persisting etc. 

In response, Applicant points out that the Office did not point out, 
with particularity, where Olden expressly discloses the steps of this method 
(parsing a call; obtaining a credential; associating; and persisting). Rather, 
the Office notes that Olden discloses "database processing" and that it 
must necessarily perform the tasks as recited in this claim. 

Applicant respectfully disagrees with this conclusion. Applicant 
requests proof for the Office's inherency position. 

Furthermore, even if the Office is right, that does not mean that 
"database processing" inherently includes the tasks recited in this claim in 
the manner that they are recited. For example, Applicant asks how it is 
possibly inherent to Olden's "database processing" that it would "persist[] 
the credential into a database while maintaining the credential's association 
with the specified resource?" 

As shown above, Olden does not disclose all of the claimed 
elements and features of the claim. Accordingly, Applicant asks the Office 
to withdraw its rejection of this claim. 

Claim 33 

This claim ultimately depends upon independent claim 32. As 
discussed above, claim 32 is allowable. 

In addition to its own merits, this dependent claim is allowable for 
the same reasons that its base claim is allowable. Applicant submits that 
the Office withdraw the rejection of this dependent claim because its base 
claim is allowable. 

Claim 34 

This claim for an application programming interface (API) method 
recites: 

• receiving a CredUI-promptfor-credentials call having a set of 
parameters comprising a TargetName, UserName, Password, 
and Flags; 

• parsing the call to retrieve the parameters to determine a 
requesting application; 

• obtaining a low-level credential from a user, wherein such 
credential includes a username and a password; 

• returning the low-level credential to the requesting 
application. 

The Office cites col. 3, lines 39-61 and col. 9, line 27 through col. 
10, line 36 of Olden and, by doing so, indicates that the cited portion of the 
reference discloses all of the elements and features of this claim. 

However, the Applicant submits that the Office has not identified, 
with particularity, where each feature and element of this claim is found in 
the cited passage of the reference. Furthermore, the Office has not 
provided any reasoning, explanation, or rationale as to its assertion that the 
cited portions of Olden disclose all of each feature and element of this 
claim. 

In particular, the Office has not identified, nor can Applicant find, 
where Olden discloses "receiving a CredUI-promptfor-credentials call 
having a set of parameters comprising a TargetName, UserName, 
Password, and Flags." Nowhere does Olden disclose a call with this 
particular set of parameters. 

In its "Response to Arguments" on pp. 7-8 of the Action, the Office 
responded to Applicant's argument with the following: 

In response to applicant's argument on page 35, with respect to claim 34 "In 
particular, the Office has not identified, nor can Applicant find, where Olden discloses 
"receiving a CredUI-promptfor-credentials call having a set of parameters comprising a 
TargetName, Context, AuthFlags and Flags". The Office disagrees the reference shows 
many examples of these steps, for example, see col. 9, lines 27-51 

"During a request" same meaning as "CredUI-promptfor-credentials" 
"different application functions 84 to which the customer has access rights, and 
returns the correct interface which support the function set" has the same meaning as 
"set of parameters" 

see col. 17, line 65 through col. 18, lines 59 "Smart rules are filters that govern 
user access to applications. When a smart rule is defined for an application in order to 
determine authorization, the security and access management system 10 examines a 
property for a specific user, and grants or denies access to an application resource 
based on the value found" has the same meaning as "TargetName, Context, AuthFlags, 
and Flags" 

In response, Applicant points to the specificity of the claim 
recitation. In particular, this claim indicates that the received call has a 
defined set of parameters that comprise the following specifically recited 
parameters: "TargetName, UserName, Password, and Flags." 

It appears to the Applicant that the Office is combining two 
extrapolated and generalized conclusions about Olden and equating it to a 
very specific and explicit recitation in the claim language. If the Office is 
correct then these two statements are equivalent: 



The following is a direct quote from this claim: 

...receiving a CredUI-promptfor-credentials call having a set 
of parameters comprising a TargetName, UserName, Password, 
and Flags... 



The following is the same quoted language but Applicant has 
replaced the language that the Office equates to being disclosed in Olden 
(minor edits are done to make the replaced language make better 
grammatical sense): 

... receiving a request [a CredUI-promptfor-credentials call] 
having a correct interface to support the function set to which the 
customer has access rights, [a set of parameters] comprising 
filters governed by smart rules (when a smart rule is defined for an 
application in order to determine authorization, the security and 
access management system examines the property of a specific 
user and grants or denies access to an application resource based 

Again, if Olden truly discloses the language recited in this claim, 
then the above two statements would be identical in meaning. Not only 
would they be identical, they would be neither broader nor narrower than 
each other in meaning. 

Applicant hopes that the reader of this can see that these two 
statements are not identical. Even assuming the best case for the Office, 
Olden, at best, discloses a generalization of the recited language. But, of 
course, Applicant does not think that Olden even discloses that. 

Applicant asks the Office to identify, with particularity, where 
Olden discloses each of these parameters which have been expressly 
recited in this claim. Where does Olden expressly disclose a 
"TargetName" parameter? Where does Olden expressly disclose a 
"UserName" parameter? Where does Olden expressly disclose a 
"Password" parameter? Where does Olden expressly disclose a "Flags" 
parameter? 

Furthermore, Applicant submits that Olden does not disclose all 
of the steps of this method (parsing a call; obtaining a credential; 
associating; and persisting) generally or specifically. For example, Olden 
does not disclose "associating the [obtained] credential with the specified 
resource." 

If Olden does disclose these things, Applicant asks that the Office 
identify where it discloses it with particularity. 



Serial No.: 09/757,058 

Atty Docket No.: MSl-679us 

atty: Kasey C. Christie 





As shown above, Olden does not disclose all of the claimed 
elements and features of the claim. Accordingly, Applicant asks the Office 
to withdraw its rejection of this claim. 



Claim 35 

This claim ultimately depends upon independent claim 34. As 
discussed above, claim 34 is allowable. 

In addition to its own merits, this dependent claim is allowable for 
the same reasons that its base claim is allowable. Applicant submits that 
the Office withdraw the rejection of this dependent claim because its base 
claim is allowable. 

Obviousness Rejections 

Lack of Prima Facie Case of Obviousness (MPEP § 2142) 

Applicant disagrees with the Office's obviousness rejections. 
Arguments presented herein point to various aspects of the record to 
demonstrate that all of the criteria set forth for making a prima facie case 
have not been met. 

Based upon Olden and McNabb 

The Office rejects claims 3, 9, and 25 under USC § 103(a) as being 
unpatentable over Olden as modified by McNabb. Applicant respectfully 
traverses the rejections of these claims. Applicant asks the Office to 
withdraw its rejection of these claims. 

These claims ultimately depend upon independent claims 1, 8, 
and/or 24. As discussed above, these claims are allowable. 

In addition to its own merits, each of these dependent claims is 
allowable for the same reasons that its base claim is allowable. Applicant 
submits that the Office withdraw the rejection of each of these dependent 
claims because its base claim is allowable. 

Dependent Claims 

In addition to its own merits, each dependent claim is allowable for 
the same reasons that its base claim is allowable. Applicant submits that 
the Office withdraw the rejection of each dependent claim where its base 
claim is allowable. 

Conclusion 

All pending claims are in condition for allowance. Applicant 
respectfully requests reconsideration and prompt issuance of the 
application. If any issues remain that prevent issuance of this application, 
the Office is urged to contact the undersigned attorney before issuing a 
subsequent Action. 